Fix missing setuid flags on COPY --from=build operation (#2089)

* Fix missing file permissions on multi-stage build Fixes #2075 When a file with the setuid bit is copied from one stage to another, the permissions were not copied over properly after setting ownership on directory and the file itself. * Update pkg/util/fs_util.go Co-authored-by: Jason Hall <jason@chainguard.dev> * Adding boilerplate to dockerfile * Add bash check to bail with exit code 1 if setuid not present Co-authored-by: Jason Hall <jason@chainguard.dev>
GoogleContainerTools · May 22, 2022 · 77ac694 · 77ac694 · gabyx · May 24, 2022
1 parent e22346d
commit 77ac694
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 5 deletions.
diff --git a/integration/dockerfiles-with-context/issue-2075/Dockerfile b/integration/dockerfiles-with-context/issue-2075/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright 2022 Google, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM docker.io/debian:bullseye-slim as base
+FROM base as build
+COPY ["top1", "/tmp/top1"]
+RUN \
+  set -eu; \
+  cp /tmp/top1 /usr/local/bin/top1; \
+  chown root:root /usr/local/bin/top1; \
+  chmod u=rxs,go=rx /usr/local/bin/top1; \
+  ls -lh /usr/local/bin/top1
+FROM base as final
+COPY --from=build ["/usr/local/bin/top1", "/usr/local/bin/"]
+RUN [ -u /usr/local/bin/top1 ]
+LABEL \
+  description="Testing setuid behavior in Kaniko"
diff --git a/integration/dockerfiles-with-context/issue-2075/top1 b/integration/dockerfiles-with-context/issue-2075/top1
diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
@@ -892,7 +892,11 @@ func getSymlink(path string) error {
 func CopyFileOrSymlink(src string, destDir string, root string) error {
 	destFile := filepath.Join(destDir, src)
 	src = filepath.Join(root, src)
-	if fi, _ := os.Lstat(src); IsSymlink(fi) {
+	fi, err := os.Lstat(src)
+	if err != nil {
+		return errors.Wrap(err, "getting file info")
+	}
+	if IsSymlink(fi) {
 		link, err := os.Readlink(src)
 		if err != nil {
 			return errors.Wrap(err, "copying file or symlink")
@@ -902,14 +906,15 @@ func CopyFileOrSymlink(src string, destDir string, root string) error {
 		}
 		return os.Symlink(link, destFile)
 	}
-	err := otiai10Cpy.Copy(src, destFile)
-	if err != nil {
+	if err := otiai10Cpy.Copy(src, destFile); err != nil {
 		return errors.Wrap(err, "copying file")
 	}
-	err = CopyOwnership(src, destDir, root)
-	if err != nil {
+	if err := CopyOwnership(src, destDir, root); err != nil {
 		return errors.Wrap(err, "copying ownership")
 	}
+	if err := os.Chmod(destFile, fi.Mode()); err != nil {
+		return errors.Wrap(err, "copying file mode")
+	}
 	return nil
 }